MongoDB Permission Management (users and roles)

Source: Internet
Author: User
Tags: auth

MongoDB does not enable access control by default: the whole database is exposed as-is, and anyone who can open a connection can do anything to it, which puts the data at serious risk. We can, however, enable MongoDB access control so that only authenticated users can operate on the database, and only within the scope of the roles they have been granted.

Access control is enabled by starting MongoDB with the --auth parameter; users are created with db.createUser(), and roles define what each user may do. Let's look at db.createUser() and the built-in roles first.

db.createUser() usage
db.createUser({ user: "$USERNAME", pwd: "$PASSWORD", roles: [ { role: "$ROLE_NAME", db: "$DBNAME" } ] })

Parameter description:

    • user is the username
    • pwd is the password
    • roles is the array of roles granted to the user; each entry has
    • role, the role name, and
    • db, the database that role applies to

Note that the database in which db.createUser() is run becomes the user's authentication database (the one you must name in --authenticationDatabase or switch to before db.auth()); the db inside each role entry only says where that role applies, and it need not be the same database.
MongoDB pre-defined roles

MongoDB predefines a set of roles; a user is granted one or more of them and can only perform the actions those roles allow.

  • Database user roles (available in every database)
    • read: read data in the current database
    • readWrite: read and write data in the current database
  • Database administration roles (available in every database)
    • dbAdmin: administrative tasks such as indexes and statistics, but cannot manage users or roles
    • dbOwner: combines readWrite, dbAdmin and userAdmin; can perform any administrative task on the database
    • userAdmin: create and modify users and roles on the current database. Because it can grant any role to any user, itself included, userAdmin is effectively a superuser for that database, and userAdmin or dbOwner on the admin database is effectively a superuser for the whole deployment
  • Cluster administration roles (admin database only)
    • clusterAdmin: all cluster administration privileges; the union of clusterManager, clusterMonitor and hostManager, plus dropDatabase
    • clusterManager: manage and monitor the cluster (replica set and sharding configuration)
    • clusterMonitor: read-only cluster monitoring
    • hostManager: monitor and manage servers
  • Backup and restore roles (admin database only)
    • backup
    • restore
  • All-database roles (admin database only)
    • readAnyDatabase: read on all databases
    • readWriteAnyDatabase: read and write on all databases
    • userAdminAnyDatabase: userAdmin on all databases; like userAdmin, it can grant itself any privilege, including root
    • dbAdminAnyDatabase: dbAdmin on all databases
  • Superuser role (admin database only)
    • root: superuser
  • Internal role
    • __system: all operations; reserved for MongoDB's internal use and never to be granted to an ordinary user

For more information on roles, see: https://docs.mongodb.com/manual/core/security-built-in-roles/

Enabling access control

Step 1. Start the MongoDB instance without access control

That is, without --auth:

./mongod

Step 2. Connect to the MongoDB instance

./mongo
Step 3. Create a user administrator

In the admin database, add a user with the userAdminAnyDatabase role to serve as the user administrator. The following example creates a user named admin for that purpose (the password "admin" is only for the walkthrough; use a strong one, because this account can grant itself any role, including root).

> use admin
switched to db admin
> db.createUser({
...   user: "admin",
...   pwd: "admin",
...   roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
... })
Successfully added user: {
    "user" : "admin",
    "roles" : [ { "role" : "userAdminAnyDatabase", "db" : "admin" } ]
}

Exit the shell and stop the instance.

Step 4. Restart the database with access control enabled

When starting from the command line, just add the --auth parameter (to mongod, the server, not to the mongo shell):

./mongod --auth

or edit the configuration file (sudo vim /etc/mongod.conf) and restart:

MongoDB 2.4 (old-style config):

auth = true

MongoDB 2.6 and later (YAML config):

security:
    authorization: enabled

Enabling authorization only controls what a connected client may do; it does not reduce who can connect. Keep net.bindIp restricted (or firewall the port) as well, rather than relying on passwords alone for an instance reachable from the network.

Step 5. Connect as the administrative user. There are two ways:
    • On the command line: ./mongo -u "$USERNAME" -p "$PASSWORD" --authenticationDatabase "admin"
    • Inside the shell, with db.auth()

We use the second:

> use admin
switched to db admin
> db.auth("admin", "admin")
1

A return value of 1 means authentication succeeded (0 means it failed). db.auth() must be called on the database the user was created in, which is why we switch to admin first; --authenticationDatabase does the same thing on the command line.

Step 6. Create a separate user for a database

Here we create a user named test with read and write permission on the test database.

Because admin only holds the userAdminAnyDatabase role, it has no read or write permission on the test database, so to read and write test we need a dedicated user. Let's first see what happens when admin tries; it reports an error.

> use test
switched to db test
> show collections
E QUERY    [thread1] Error: listCollections failed: {
    "ok" : 0,
    "errmsg" : "not authorized on test to execute command { listCollections: 1.0, filter: {} }",
    "code" : ...
} (shell stack trace omitted)

Running show collections directly gives the error "not authorized on test to execute command", meaning the account has no permission. (userAdminAnyDatabase could of course grant itself readWrite on test, which is exactly why that account should be reserved for user administration and not used by applications.)

> use test
switched to db test
> db.createUser({
...   user: "test",
...   pwd: "test",
...   roles: [ { role: "readWrite", db: "test" } ]
... })
Successfully added user: {
    "user" : "test",
    "roles" : [ { "role" : "readWrite", "db" : "test" } ]
}

Database and user names are case-sensitive, so the role's db must be spelled exactly as the database name. Now we authenticate with db.auth("test", "test") while still on the test database (the user was created there), and the same command runs without an error:

> db.auth("test", "test")
1
> show collections

Inserting a document and reading it back also works:

> db.t.insert({ name: "buzheng" })
WriteResult({ "nInserted" : 1 })
> db.t.find()
{ "_id" : ObjectId("58786c84bf5dd606ddfe1144"), "name" : "buzheng" }
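The role list and the six steps above, as an added example that is not part of the original post and not MongoDB's own code: a script for the mongo/mongosh shell that creates the least-privilege application user from step 6 (readWrite on one database only) and then audits every user in the deployment for roles that are effectively superuser, applying the userAdmin / userAdminAnyDatabase caveat from the roles section. Assumptions: inside the mongo shell the globals `db` and `print` exist and the session is already authenticated as the user administrator; under plain Node there is no `db`, so the audit runs over SAMPLE_USERS, a constructed list in the shape of admin.system.users documents. The accounts reporter, ops and svc and the password CHANGE-ME are placeholders invented for the example.

```javascript
// Added example, not code from the original post or from MongoDB: creates the
// least-privilege application user from step 6 and audits all users for roles
// that are effectively superuser. Inside mongo/mongosh the globals `db` and
// `print` exist; under plain Node the audit runs on SAMPLE_USERS, a constructed
// list in the shape of the documents stored in admin.system.users.
var out = typeof print === "function" ? print : console.log;

// Least-privilege spec for an application user: readWrite on one database only.
// The password is a placeholder (in mongosh, pass passwordPrompt() instead).
function appUserSpec(dbName, user, pwd) {
  return { user: user, pwd: pwd, roles: [{ role: "readWrite", db: dbName }] };
}

// Classify one {role, db} assignment.
//   superuser        root, __system, userAdminAnyDatabase, or userAdmin/dbOwner
//                    scoped to admin: each can grant its holder any privilege
//   escalation-in-db userAdmin/dbOwner on an ordinary database: can grant
//                    itself any role on that database
//   broad            the remaining *AnyDatabase roles: deployment-wide data access
//   scoped           everything else (read, readWrite, dbAdmin, cluster roles, ...)
function classifyRole(a) {
  if (["root", "__system", "userAdminAnyDatabase"].indexOf(a.role) !== -1) return "superuser";
  if (a.role === "userAdmin" || a.role === "dbOwner") {
    return a.db === "admin" ? "superuser" : "escalation-in-db";
  }
  if (/AnyDatabase$/.test(a.role)) return "broad";
  return "scoped";
}

var SEVERITY = { superuser: 3, "escalation-in-db": 2, broad: 1, scoped: 0 };

// One finding per user, at the highest level any of its roles reaches.
function auditUsers(users) {
  return users.map(function (u) {
    var roles = u.roles || [], worst = "scoped", labels = [];
    for (var i = 0; i < roles.length; i++) {
      var lvl = classifyRole(roles[i]);
      if (SEVERITY[lvl] > SEVERITY[worst]) worst = lvl;
      labels.push(roles[i].role + "@" + roles[i].db);
    }
    return { user: u.user, db: u.db, level: worst, roles: labels };
  });
}

// Constructed sample: "admin" and "test" are the two users from the walkthrough;
// reporter, ops and svc are hypothetical accounts that exercise the other levels.
var SAMPLE_USERS = [
  { user: "admin",    db: "admin",     roles: [{ role: "userAdminAnyDatabase", db: "admin" }] },
  { user: "test",     db: "test",      roles: [{ role: "readWrite", db: "test" }] },
  { user: "reporter", db: "admin",     roles: [{ role: "readAnyDatabase", db: "admin" }] },
  { user: "ops",      db: "inventory", roles: [{ role: "dbOwner", db: "inventory" }] },
  { user: "svc",      db: "admin",     roles: [{ role: "dbOwner", db: "admin" },
                                               { role: "read", db: "inventory" }] }
];

function report(findings) {
  findings.forEach(function (f) {
    out("[" + f.level + "] " + f.user + "@" + f.db + "  roles: " + f.roles.join(", "));
  });
}

if (typeof db !== "undefined" && typeof db.getSiblingDB === "function") {
  // Live mongo shell session, already authenticated as the user administrator.
  var testDb = db.getSiblingDB("test");
  if (testDb.getUser("test") === null) {
    testDb.createUser(appUserSpec("test", "test", "CHANGE-ME"));
  }
  // userAdminAnyDatabase includes find on admin.system.users, so this read works.
  var allUsers = db.getSiblingDB("admin").getCollection("system.users").find().toArray();
  report(auditUsers(allUsers));
} else {
  report(auditUsers(SAMPLE_USERS));
}
```

Run it against a live instance with ./mongo -u admin -p --authenticationDatabase admin audit.js, or with node audit.js to see the classification on the sample alone. Anything reported as superuser or escalation-in-db deserves the same password hygiene and restricted use as root; in the walkthrough that is the admin account itself, which is expected, but an application account showing up there is a finding.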

Reposted from https://buzheng.org/2017/20170114-mongodb-enable-access-control.html
